Consumers don’t like hearing bad news, especially when it comes to their personal data. Unfortunately, bad news comes all too often these days. Each day, over 6 million records are lost or stolen in data breaches – or 70 records every second[1]. What’s more concerning is the number of records stolen in the first half of 2019 are up 52% compared to the same time period last year[2].

According to Digital Guardian, there are numerous actions that consumers can take to secure passwords, financial information, and online identities. These include using software or plug-ins to encrypt emails or files, downloading the latest version of software, or switching to a “passphrase” rather than a password (like a lyric to your favorite song). By encouraging these precautions, brands can help mitigate risks if their network were to become compromised in a hack.

Unfortunately, consumers are taking less precautionary measures despite a growing number of threats to their online security. Data breach fatigue, or a sense of numbness towards online security, is harmful to both consumers and brands as it makes them more susceptible and inflicts greater loss when breached.

Understanding data breach fatigue behavior

To gain a better understanding of this behavior in the wild, we looked at 339,334 online conversations about data privacy and security among 187,190 individuals. To quantify breach fatigue behavior, we identified instances where consumers used phrases like “there’s nothing I can do” or “there’s no hope” when discussing personal data. Next, we cross-referenced our online conversations with data from Privacy Rights Clearinghouse, which tracks the number of records stolen via breach over time.

What we found

Interestingly, the number of records stolen in a particular data breach (pink) does not always lead to an increase in online privacy and security conversations (green). Conversation volume spikes in September 2017 and July 2019, the months in which Equifax and Capital One were hacked. However, we don’t see conversation spike in June, July, or November of 2018 when 787 million records were stolen in the hacks of Name Tests, Exactis, and Marriott.

As for data breach fatigue, mentions of fatigue behavior (blue) decline when a large hack takes place – even for the lesser discussed breaches referenced above. This behavior demonstrates that consumers are less indifferent about their privacy when a major hack takes place, indicating that there may be a window of opportunity for brands to encourage proactive behavior in the days or weeks following a major attack.

What can my brand do to combat data breach fatigue among consumers?

Understand how consumers view your brand within the data and privacy landscape

Brands must be aware of how consumers perceive their security infrastructure, especially as it relates to other firms. Take the scatter plot below as an example. We measured net sentiment (y-axis) across four brands who’ve suffered from a major data breach within the last two years: Marriott, Google, Facebook, and Equifax.

Brands like Google, Facebook, and Equifax exist within industries that are commonly associated with privacy, and as a result, these brands are discussed more frequently within the data and privacy conversation (x-axis). Google’s hack led to the lowest number of records being stolen, so it’s not surprising that Google has the most positive net sentiment among consumers. Compare that to Equifax, who had 145.5 million records stolen and the strongest negative sentiment among consumers.

On the other hand, Marriott operates within an industry that is not typically associated with online privacy. Marriott had the largest amount of records stolen, nearly double that of Equifax, and a strong negative sentiment among consumers. What’s surprising is that despite the size of their breach, Marriott is the least discussed brand among within our sample of security and privacy conversations.

From the consumer’s point of view, not all brands are measured equally when it comes to privacy and security. Brands must know where they stand among consumers. Benchmarking your brand against others, based on factors like trust and data privacy, is one way to gain a better understanding of how your brand is perceived among consumers.

Encourage data protection behavior when your consumers are most least likely to be fatigued

If there are actions that a customer can take to secure personal information on your site, leverage the days or weeks following a major breach to inform them of what can be done – even if your firm is unaffected by the breach. Remember, the days following a breach is when we see a decline in breach fatigue conversations, regardless of how much the breach is being talked about.

Don’t expect your consumers to take action on their own. Serve it up to them in an easy and accessible way, like a notification when logging in or an email that provides a step-by-step guide to securing their data. Encouraging consumers to take action, at a time they are less prone to feeling fatigued, will not only provide tangible security benefits, but make consumers feel more secure on your site.

After all, consumers place the security burden on the firms they do business with, expecting them to take all necessary actions to protect their data and mitigate risk. Benchmarking your brand’s perception against other firms will identify lapses in your approach to data security. Armed with this information, brands can take a strategic approach to calling consumers to action, demonstrating that your brand is proactive and serious about protecting customer data.

“Man… this is a bummer. I checked the site. I’m affected. I’ve had my info stolen before through other hacks. This is just a huge pain in the ass. They should fix this. I shouldn’t have to spend time covering my own ass from their mistake.”-Anonymous Neogaf.com User, September 2017